Cyberwar Foundering on Feuds?

Share

Cyberwar Foundering on Feuds?

Reader's advisory: Wired News has been unable to confirm some sources for a number of stories written by this author. If you have any information about sources cited in this article, please send an e-mail to sourceinfo[AT]wired.com.

Some government agency workers charged with protecting critical computer systems are increasingly becoming entangled in counterproductive, time-wasting power plays, according to sources inside and outside of the agencies.

Political power plays aren't news, but the struggle between the FBI-led National Infrastructure Protection Center (NIPC) and the newly formed Homeland Security Office has many doubting that either agency will be able to perform at peak levels over the next few months.

The NIPC, established in February 1998, was assigned to protect U.S. critical systems against terrorism and other attacks, duties that have now also been assigned to the Homeland Security Office (HSO), formed in response to the Sept. 11 terrorist attacks.

Over the years the NIPC has increasingly focused on computer security, but the HSO also has a new cyber-security division.

"Homeland Defense wants the NIPC to report to them, but the NIPC believes they should be the cyber-security office," said Rob Rosenberger of security news site Vmyths.

"Fights have started to break out over the lines and boxes on Homeland Security's organization chart. The Bush administration will waste a lot of time and effort over the next few months while offices jockey for position."

Sources inside the agencies confirmed there has been some confusion and tension over who will report to whom but insist that the majority of employees in both agencies remain focused.

"This isn't the time to play political slap and tickle with each other. We need to get focused fast," said an FBI agent who requested anonymity.

But security experts are divided over whether the agencies can put power plays aside.

President Bush installed former Pennsylvania Gov. Tom Ridge as head of the Office of Homeland Security on Monday, pledging, "America is going to be prepared."

Richard Clarke, who has served as counter terrorism chief at the White House for more than a decade, will head the new Office of Cyberspace Security and will report to Ridge. But according to the presidential order that outlines his job, Ridge has little power, beyond persuasion, to compel other agencies or officials to do anything.

"I'm just not impressed with the overall United States government infrastructure assurance effort," said Richard Forno, chief technology officer for Shadowlogic.

Forno has acted as an adviser to the Department of Defense on information warfare. "Clarke actually has a clue about this stuff, but given the environment he's charged with working in, he can't be effective."

Ridge's office declined to comment on how or if Ridge will be able to coordinate efforts between his staff and agencies that have historically avoided working together.

"Yes, there are issues. Yes, Ridge can request but not compel. That will be taken advantage of by some. Understand though, times are very different now. Most people are putting all that previous pettiness aside, at least for a while. Ridge is well respected here," said the FBI agent previously quoted.

Others said that it would be difficult for the agencies to work together, but felt that the situation would be swiftly sorted out.

"Will there be clashes between the agencies? Yes. Is that OK? Well, it's normal," said security expert Fred Villella. "Like cyber-terrorism itself, this situation isn't out of control; but it isn't under control either."

Villella was the executive secretary to the president's national security adviser for emergency mobilization under the Reagan administration. He now heads up New Dimensions International, a security services company that recently introduced training against cyber-terrorism attacks.

"There will be big turf issues to be resolved with FEMA (Federal Emergency management Agency), NIPC and all of the other 'letter' agencies," said Villella. "That is inevitable. And for many, (computer) skills and getting a grip on the dimensions of cyberspace and their adversaries' capabilities are needed competencies that have yet to be acquired."

"But we do need a focus to direct attention to cyber-security. Richard Clark and Tom Ridge's combined talents and drive in the right direction will improve the approach," Villella said. "(It's) a very tough task.... They will have to screen who they are influenced by. There are those selling products like me, and there are a lot of hacker types who focus on cryptography solutions. Which of these approaches are right for the cyber-terror task? Or is there more than one solution?"

Security experts said that basic measures, such as disconnecting entire critical infrastructures from the Internet and ensuring that all software meets stringent security guidelines, would go a long way toward hardening U.S. cyber-defense.

Experts also pointed out that the government will most likely continue to be led in their efforts to lock down computer systems by the private computer security industry.

"The computer security industry guides the government, not the other way around," Rosenberger said. "Face it: if a 'virus war' broke out, our vaunted U.S. military would run like a helpless damsel to the anti-viral industry."

Hackers or no hackers, Rosenberger and Forno don't hold out much hope for governmental security experts.

"We'll see more meetings, taskforces, memos, reports etcetera," Forno said. "Will it make a difference? It depends on how OHS is structured and what authority Tom Ridge is given to force people in the government to play ball. If, as it appears now, he is only to coordinate things, it will never be effective."

"If the government does anything at all, it creates a bureaucracy," Rosenberger said. "Don't get me wrong, we need bureaucracies. And I honestly believe the Feds will someday figure out what their bureaucracy should do."

Rosenberger thinks that the NIPC will eventually come out on top of the power heap.

"I'd bet on the gun-toting agents to win this one, especially if Congress does enact a law to sentence virus writers to life in prison without possibility of parole."

A new bill called Patriot (Provide Appropriate Tools Required to Intercept and Obstruct Terrorism) – which legally classifies many hack attacks as acts of terrorism – is making its way through the House and Senate this week.